Bug 396861 (CVE-2007-6206)

Summary: CVE-2007-6206 Issue with core dump owner
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kreilly
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-22 23:33:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 396941, 396951, 396961, 396971, 396981, 396991, 397001    
Bug Blocks:    
Attachments:
Description Flags
Simple crashing file producing core dump files none

Description Jan Lieskovsky 2007-11-23 15:06:43 UTC 
Description of problem:

In 2.6.x and 2.4.x kernels, if a core file owned by a non root user exists and 
root runs a process that drops core in the same location, the original core 
file owned by the non root user is replaced with root's core dump, except the 
original owner maintains ownership of the core.

This one is public via: 

http://bugzilla.kernel.org/show_bug.cgi?id=3043

This one has not CVE number assigned yet, will attach it, as soon as this one
gets one.
Comment 2 Jan Lieskovsky 2007-11-23 15:17:25 UTC 
Created attachment 267571 [details]
Simple crashing file producing core dump files

Attaching simple crashing C file producing core dump files.
Comment 4 Jan Lieskovsky 2007-12-04 15:00:20 UTC 
Escalating severity of this issue, as I got some additional information.
Comment 5 Mark J. Cox 2008-01-21 10:07:03 UTC 
" A security flaw was found in the mechanism the Linux kernel uses to handle
the core dump files creation. If a core file owned by a local,
authenticated, non-root user existed and root ran process that wrote a core
file to the same directory, the original non-root's core file would be
replaced by root's core file, which could make sensitive information
available to unauthorized users. (CVE-2007-6206, Moderate). "
Comment 7 Mark J. Cox 2008-01-21 13:42:14 UTC 
Note that by default on Red Hat Enterprise Linux, core files are created with
filenames containing the pid.  This would make it harder to exploit this issue
as not only do you need to get a root-process to dump core into a directory in
which you have write access, but you also need to know the pid of the thing
that's going to dump core (or create a lot of files).
Comment 9 Vincent Danen 2010-12-22 23:33:24 UTC 
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0055)
Red Hat Enterprise Linux version 5 (RHSA-2008:0089)
Red Hat Enterprise Linux version 3 (RHSA-2008:0211)
Red Hat Linux Advanced Workstation 2.1 (RHSA-2008:0787)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0001)